Some disassemblers like IDA or Ghidra take an exe and output the instructions. Other disassemblers require the user to parse the PE header, isolate binary for the instructions and pass that in.
I'm trying to learn to use the Capstone Python API, but the .py documentation only ever shows a buffer of isolated instructions being passed, like so:
# test1.py
from capstone import *
CODE = b"\x55\x48\x8b\x05\xb8\x13\x00\x00"
md = Cs(CS_ARCH_X86, CS_MODE_64)
for i in md.disasm(CODE, 0x1000):
print("0x%x:\t%s\t%s" %(i.address, i.mnemonic, i.op_str))
But I want to do something like:
CODE = open("test.exe", "rb")
Without having to personally parse the PE headers to isolate the instruction data. Does Captone's API support this?
Capstone is architecture-independent. It doesn't understand PE files or elf files. You just feed it bytes of machine language for whatever processor you have.